WIP: add objectfilters #228
Conversation
Signed-off-by: duncan485 <[email protected]>
|
Thanks @JaydipGabani , I'd say this also closes #24 |
|
@JaydipGabani Can this one be merged? |
|
@maxsmythe @ritazh @sozercan PTAL |
waiting for one more review at least. |
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #228 +/- ##
==========================================
+ Coverage 57.16% 62.83% +5.67%
==========================================
Files 1 1
Lines 572 479 -93
==========================================
- Hits 327 301 -26
+ Misses 181 114 -67
Partials 64 64
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
| Mapper: mgr.GetRESTMapper(), | ||
| DefaultNamespaces: namespaces, | ||
| }) | ||
| ObjectFilers := make(map[client.Object]cache.ByObject) |
There was a problem hiding this comment.
| ObjectFilers := make(map[client.Object]cache.ByObject) | |
| objectFilers := make(map[client.Object]cache.ByObject) |
| } | ||
| } | ||
|
|
||
| ObjectFilers[&corev1.Secret{}] = cache.ByObject{ |
There was a problem hiding this comment.
@duncan485 can we add tests for this?
|
While writing tests, I found that this doesn't work with multiple webhooks, it will only add the last added webhook in the filter. I'm putting this back in WIP, and continue this when I get to it. |
Are you talking about multiple webhooks of the same type?, The map cert-controller/pkg/rotator/rotator.go Lines 199 to 205 in 7e39bd7 We can assign exactly one field selector per GVK, and since field selectors do not support set-based operators, we can only target one value. |
|
Yes exactly, that's while experimenting, what I found. Taking a step back, my goal is to limit the the cache to only the web-hooks that are needed/configured for the cert-controller, so in the end I can setup the K8S role, limited by resourceNames. apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: role
rules:
- apiGroups:
- admissionregistration.k8s.io
resources:
- mutatingwebhookconfigurations
verbs:
- get
- list
- update
- watch
resourceNames: <---
- webhooka
- webhookbIf you have a suggestion to how this could be accomplished, please let me know and I'd be happy to dig in. |
To support name-based filters, I think controller-runtime would have to implement delegating caches for every resource name. Right now, it implements a delegating cache for every resource (identified by its GroupVersionKind) [1]. One option is to propose per-resource caching to contoller-runtime. But that proposal might not be accepted, since most controllers (I"m assuming here) built with controller-runtime reconcile a group of resources across namespaces, and they don't need the cache granularity you're looking to add to cert-controller. Another option is to implement a per-resource cache in cert-controller. And finally, there's a "hack" that would work: reference resource names in the RBAC, apply a label to the resources, and use a label selector in cert-controller. (This would break cert-controller when the label is applied to a resource that isn't referenced in RBAC). 1: https://github.com/kubernetes-sigs/controller-runtime/blob/main/designs/cache_options.md |
I ran into the issue that we cannot set resourceNames in (cluster)Role.rules.resourceNames because the cache/watch includes all the object of a kind in the selected namespace. This PR will limit the cache to only the secrets and webhooks that are needed for the cert-controller.
I tested this locally and verified it works, any feedback would be much appreciated.;